Commit Graph

245 Commits

Author SHA1 Message Date
nixbitcoin
81a1c3f908
service hardening: Add CapabilityBoundingSets
Whitelist with exceptions in webindex and onion-chef
2020-05-22 11:29:54 +00:00
nixbitcoin
3cd61506e0
webindex & onion-chef: Run non-network-facing services in PrivateNetwork 2020-05-22 11:29:07 +00:00
nixbitcoin
7c70dd43ac
All modules: Give service config precedence over defaultHardening
With '//' the latter takes precedence over the former in case of
equally named attributes.
2020-05-22 08:08:27 +00:00
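The precedence rule that commit 7c70dd43ac relies on, as an added example that is not nix-bitcoin's own code: `defaultHardening` below is a stand-in for `nix-bitcoin-services.defaultHardening` with made-up attribute values, and `webService` / `localHelper` are hypothetical services (the ExecStart paths are placeholders). It puts the weak merge order beside the corrected one, and also shows the PrivateNetwork / CapabilityBoundingSet pattern of the two commits above it.

```nix
# Added example, not nix-bitcoin code. Nix's `//` merges two attribute
# sets; where both define the same name, the RIGHT-hand operand wins.
# Evaluate with: nix-instantiate --eval --strict example.nix
let
  # Stand-in for nix-bitcoin-services.defaultHardening (values assumed).
  defaultHardening = {
    PrivateTmp = true;
    ProtectSystem = "strict";
    ProtectHome = true;
    NoNewPrivileges = true;
    # Default for the common case: stay in the host network namespace,
    # but start from an empty bounding set (every capability dropped).
    PrivateNetwork = false;
    CapabilityBoundingSet = "";
  };

  # Hypothetical network-facing service that needs exactly one capability,
  # so it whitelists it explicitly (the "whitelist with exceptions" case).
  webService = {
    ExecStart = "/path/to/web-service";   # placeholder path
    PrivateNetwork = false;
    CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
  };

  # Hypothetical helper that never talks to the network: it can run in a
  # private, empty network namespace and keep the empty bounding set.
  localHelper = {
    ExecStart = "/path/to/local-helper";  # placeholder path
    PrivateNetwork = true;
  };

  # Weak order: the shared defaults sit on the right of `//`, so they
  # silently replace the capability the service declared with "".
  wrongWeb = webService // defaultHardening;

  # Correct order (what the commit above establishes): service-specific
  # settings override the shared defaults, all other hardening falls through.
  rightWeb = defaultHardening // webService;
  rightHelper = defaultHardening // localHelper;
in
{
  # These are the values a module would end up passing as
  # systemd.services.<name>.serviceConfig for each service.
  wrongWebCapabilities = wrongWeb.CapabilityBoundingSet;
  rightWebCapabilities = rightWeb.CapabilityBoundingSet;
  helperPrivateNetwork = rightHelper.PrivateNetwork;
  helperStillProtected = rightHelper.ProtectSystem;
}
```

Evaluating the file shows `wrongWebCapabilities` as the empty string and `rightWebCapabilities` as `"CAP_NET_BIND_SERVICE"`, while `rightHelper` keeps `PrivateNetwork = true` together with the inherited `ProtectSystem = "strict"`. In a real module the same idea is written as `serviceConfig = nix-bitcoin-services.defaultHardening // { ... }`, with the service's own attributes on the right.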
nixbitcoin
b8e10afe18
recurring-donations: Run under recurring-donations user 2020-05-19 11:13:26 +00:00
nixbitcoin
5d01ea7101
nodeinfo: Convert to module and allow alternative operator username
Currently, nodeinfo has presets/secure-node.nix as a strict
dependency as it requires onion-chef and the 'operatorName' option,
and nix-bitcoin-webindex.nix has nodeinfo as a dependency.

So don't add nodeinfo and webindex to modules.nix because they will fail on standalone use.
2020-05-19 11:13:24 +00:00
nixbitcoin
95d230d1d6
Remove bitcoinrpc group remnants 2020-05-19 11:13:22 +00:00
nixbitcoin
563b210835
spark-wallet: Run under spark-wallet user 2020-05-19 11:13:20 +00:00
nixbitcoin
205fca3576
bitcoind: only make blocksdir group-readable when dataDirReadableByGroup 2020-05-19 11:13:18 +00:00
nixbitcoin
81a04a4ef1
lightning-charge: add dedicated user 2020-05-19 11:13:16 +00:00
nixbitcoin
0ba55757f8
clightning: allow group access to RPC socket 2020-05-19 11:13:12 +00:00
nixbitcoin
304dd297ba
clightning: remove config group read access 2020-05-19 11:13:05 +00:00
nixbitcoin
04c6936ce9
clightning: Remove clightning "bitcoinrpc" membership
Secrets are written to clightning config file during preStart with root
permissions because of PermissionsStartOnly.
2020-05-19 11:09:13 +00:00
nixbitcoin
393ab0fb3c
electrs: Remove electrs user from "bitcoinrpc" and "bitcoin" sometimes
Electrs does not need to be a part of "bitcoinrpc" group because preStart
electrs.toml creation is handled by PermissionsStartOnly. "bitcoin"
group membership is only necessary when cfg.high-memory is enabled and
electrs reads blocks directly from the blocks directory.
2020-05-19 11:08:59 +00:00
nixbitcoin
7cfae66db4
electrs: Drop insecure TLS ciphers 2020-05-19 11:08:52 +00:00
nixbitcoin
4c139a6d77
electrs: Make TLSProxy truly optional
If TLSProxy is disabled, bypass nginx by forwarding Tor HS traffic
directly to electrs.
2020-05-19 11:08:48 +00:00
Erik Arvstedt
509fca5328
fix syntax error
Fixes #172
2020-05-06 12:13:32 +02:00
nixbitcoin
159f551b93
Remove bitcoin, clightning, electrs, liquid user home directory 2020-04-26 14:08:08 +02:00
nixbitcoin
742aef1e0f
Only set dataDirReadableByGroup if cfg.high-memory is enabled 2020-04-24 16:21:12 +02:00
Erik Arvstedt
4dc6c3ba5d
add option 'dataDirReadableByGroup'
These settings are now more accessible for users that don't use
nix-bitcoin's default node config.
Additionally, remove 'other' permissions via umask.
2020-04-16 15:55:34 +02:00
Erik Arvstedt
3e188238d0
only update bitcoin.conf when changed 2020-04-12 22:32:37 +02:00
Erik Arvstedt
08322eed9b
use [[ test 2020-04-12 22:32:37 +02:00
Erik Arvstedt
201fc33782
move line to relevant code section (blocks dir setup) 2020-04-12 22:32:37 +02:00
Erik Arvstedt
1f8fe310d0
remove option 'configFileOption'
It doesn't make sense for bitcoind users to completely redefine their
config file. Also, it's poorly named and the description is faulty.

This is a breaking change, but this option has probably no actual users.
2020-04-12 22:32:37 +02:00
Erik Arvstedt
4e5c1d7551
disable redundant logfile 2020-04-12 22:32:37 +02:00
Erik Arvstedt
a05551fd1c
improve config file formatting 2020-04-12 22:32:37 +02:00
Erik Arvstedt
5e81d60d63
improve formatting 2020-04-12 22:32:37 +02:00
Erik Arvstedt
d60a5aa4db
define rpc.users submodule inline
Improves readability.
2020-04-12 22:32:37 +02:00
Erik Arvstedt
1a2271fb14
remove unused variable 'hexStr' 2020-04-12 22:32:36 +02:00
Erik Arvstedt
4e92b1c818
remove redundant hardening options
These are already defined in nix-bitcoin-services.defaultHardening.
2020-04-12 22:32:36 +02:00
Erik Arvstedt
47fd6cd0f3
simplify ExecStart 2020-04-12 22:32:36 +02:00
Erik Arvstedt
64fc63cc40
remove pidFile
- service type "simple" is the default
- pidFile is not needed for service type "simple"
2020-04-12 22:32:36 +02:00
Erik Arvstedt
bceaa361ca
operator: allow reading systemd journal 2020-04-09 11:02:06 +02:00
Erik Arvstedt
145961c2de
fix operator authorized keys setup
This fixes these flaws in `copy-root-authorized-keys`:
- When `.vbox-nixops-client-key` is missing, operator's authorized_keys
  file is always appended to, growing the file indefinitely.
- Service is always added and not restricted to nixops-vbox deployments.
2020-04-09 11:02:06 +02:00
Erik Arvstedt
37b2faf63c
move systemPackages definitions to services
These are generally useful and shouldn't be limited to secure-node.nix.

Also, only add the hardware-wallets group when hardware wallets are enabled.
2020-04-08 17:35:14 +02:00
Erik Arvstedt
6c22e13b7f
copy-root-authorized-keys: use inline script definition 2020-04-08 17:35:14 +02:00
Erik Arvstedt
63c6fe3213
fixup! use '' for multi-line string 2020-04-08 17:35:14 +02:00
Erik Arvstedt
ab617946a9
extract variable 'cfg' 2020-04-08 17:35:13 +02:00
Erik Arvstedt
36c84d8360
add option clightning.onionport
Analogous to electrs.onionport
2020-04-08 17:35:13 +02:00
Erik Arvstedt
681dbaf328
move electrs.onionport option
Only used in secure-node.nix
2020-04-08 17:35:13 +02:00
Erik Arvstedt
74fbfa3a5d
use lib.optionals 2020-04-08 17:35:13 +02:00
Erik Arvstedt
ec6d33fbb6
rearrange code sections
Move services to the top, operator account setup to the bottom.
2020-04-08 17:35:13 +02:00
Erik Arvstedt
e16ddc9c77
extract 'mkHiddenService'
toPort equals port by default.
2020-04-08 17:35:13 +02:00
Erik Arvstedt
89d3d58850
use mkIf 2020-04-08 17:35:13 +02:00
Erik Arvstedt
85e52a06cb
improve grouping of suboptions 2020-04-08 17:35:12 +02:00
Erik Arvstedt
1a63f0ca6a
remove option 'services.nix-bitcoin.enable'
Users can enable the node config just by importing secure-node.nix
2020-04-08 17:35:12 +02:00
Erik Arvstedt
0f8b2e91fd
add nix-bitcoin.nix for backwards compatibility 2020-04-08 17:35:12 +02:00
Erik Arvstedt
28792f79dc
rename nix-bitcoin.nix -> presets/secure-node.nix 2020-04-08 17:35:12 +02:00
Jonas Nick
9239268ab6
Merge #136: Change the nix-bitcoin deployment from forking this repo to importing the module
b2e15c17b8 docs: Update to new deployment method (import instead of fork) (Jonas Nick)
5ed0284db9 Add fetch-release script (Jonas Nick)
c303cd47e4 Add push-release.sh helper (Jonas Nick)
705d187a35 examples/shell.nix: don't run shellHook on subsequent nix-shells (Erik Arvstedt)
65039be656 docs: Remove duplicate instructions (Jonas Nick)
455c5664c9 docs: Replace tabs with spaces (Jonas Nick)
8aa4714979 docs: Update NixOS version (Jonas Nick)
9df22a2764 add deploy-qemu-vm.sh example (Erik Arvstedt)
548ced1994 README: Add Example section (Jonas Nick)
44ccbb91d0 Clean up development shell.nix (Jonas Nick)
abcee651d3 add deploy-container.sh (Erik Arvstedt)
5dadea310c add deploy-nixops.sh (Erik Arvstedt)
0c74c365de mention performance loss with hardened kernel profile (Erik Arvstedt)
f3121892ef move main module import to configuration.nix (Erik Arvstedt)
0c0978c007 extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' (Erik Arvstedt)
87d0286498 Change the nix-bitcoin deployment from forking this repo to importing the module (Jonas Nick)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 18e8b71f42715c5e82e2dafde9dcc965594d76aacc6be7ee2ec746a9510065749cc65331687a57d7140f45779c3b7867f6260ec224d361fb5a477062a27d6e4c
2020-04-08 15:03:08 +00:00
Erik Arvstedt
b07c77f4a4
secrets.nix: remove obsolete comment 2020-03-29 18:51:34 +02:00
Erik Arvstedt
0c0978c007
extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' 2020-03-24 21:43:21 +00:00